Ubuntu下搭建L2TP VPN Server

前端之家收集整理的这篇文章主要介绍了Ubuntu下搭建L2TP VPN Server前端之家小编觉得挺不错的,现在分享给大家,也给大家做个参考。

这是本人第一篇博客,也算是自己的尝试,以前学习东西,一般都是以文档的方式记录。文档有时候容易丢失,所以开始尝试用博客记录学习历程。毕业在即,在此记录毕设的一部分内容

内容:Ubuntu下搭建L2TP VNP服务器(校园网Intranet VPN)

1 查看服务器主机网络信息

:$ifconfig
eth0Linkencap:EthernetHWaddrfa:16:3e:a0:64:0c
inetaddr:172.16.0.61Bcast:172.16.255.255Mask:255.255.0.0(IP地址)

2 测试服务器主机能否访问Internet

此步骤主要是验证服务器主机是否能作为VPN的网络出口。

:~$pingbaidu.com
PINGbaidu.com(111.13.101.208)56(84)bytesofdata.
64bytesfrom111.13.101.208:icmp_seq=1ttl=45time=52.2ms
64bytesfrom111.13.101.208:icmp_seq=2ttl=45time=53.1ms
64bytesfrom111.13.101.208:icmp_seq=3ttl=45time=56.9ms

由终端结果可知,服务器主机是可以ping通Internet的,故当VPN客户端(校园网中的I区即Internet区)连接到VPN服务器(校园网中的Non-I区即非Internet区)时,是可以实现VPN隧道而访问互联网的。

3 切换到root用户,获得root权限

ubuntu@XXX:~$sudo-i
sudo:unabletoresolvehostzhantengfei-vpn
root@XXX:~#

4安装L2TP

安装中若遇到unable to locate package可以使用apt-get update解决,若实在不行也可以使用apt-get upgrade解决,更新源,再安装。

安装L2TP

:~#sudoapt-getinstallopenswanpppxl2tpd-y
sudo:unabletoresolvehostzhantengfei-vpn
Readingpackagelists...Done
Buildingdependencytree
............

5 配置相关文件

5.1 修改ipsec.conf文件

:~#vim/etc/ipsec.conf//使用vim命令查看相关文件,使用ipsec进行加密

编辑好配置文件后“ESC+:wq”保存,以下为编辑后的ipsec.conf

configsetup
#Donotsetdebugoptionstodebugconfigurationissues!
#plutodebug/klipsdebug="all","none"oracombationfrombelow:
#"rawcryptparsingemittingcontrolklipspfkeynattx509dpdprivate"
#eg:
#plutodebug="controlparsing"
#Again:onlyenableplutodebugorklipsdebugwhenaskedbyadeveloper
#
#enabletogetlogsper-peer
#plutoopts="--perpeerlog"
#
#Enablecoredumps(mightrequiresystemchanges,likeulimit-C)
#Thisisrequiredforabrtdtoworkproperly
#Note:incorrectSElinuxpoliciesmightpreventplutowritingthecore
dumpdir=/var/run/pluto/
#
#NAT-TRAVERSALsupport,seeREADME.NAT-Traversal
nat_traversal=yes
#excludenetworksusedonserversidebyadding%v4:!a.b.c.0/24
#ItseemsthatT-MobileintheUSandRogers/FidoinCanadaare
#using25/8as"private"addressspaceontheir3Gnetwork.
#ThisrangehasnotbeenannouncedviaBGP(atleastupto2010-12-21)
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
#OEisnowoffbydefault.Uncommentandchangetoon,toenable.
oe=off
#whichIPsecstacktouse.autowilltrynetkey,thenklipsthenmast
protostack=netkey
force_keepalive=yes
keep_alive=1800

connL2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
leftnexthop=%defaultroute
rightnexthop=%defaultroute

connL2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=172.16.0.61//设置为服务端的外网ip地址
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
dpddelay=40
dpdtimeout=130
dpdaction=clear
#Usethistologtoafile,ordisableloggingonembeddedsystems(likeopenwrt)

5.2 使用vi命令修改ipsec.secrets文件

:/etc#viipsec.secrets
#include/var/lib/openswan/ipsec.secrets.inc#注意这一行要注释掉
172.25.11.223%any:PSK"1110005440"//设置为服务器内网的地址,并设置密码(可以自定义设置)
include/var/lib/openswan/ipsec.secrets.inc

5.3 使用命令修改sysctl文件

:~#vi/etc/sysctl.conf
#/etc/sysct.conf
#onlyvaluesspecificforipsec/l2tpfunctioningareshownhere.mergewith
#existingfile
net.ipv4.ip_forward=1
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.icmp_ignore_bogus_error_responses=1

5.4 执行如下脚本

forvpnin/proc/sys/net/ipv4/conf/*;doecho0>$vpn/accept_redirects;echo0>
$vpn/send_redirects;done
sysctl-p//使修改生效

5.5 使用命令修改xl2tp.conf文件

:~#vi/etc/xl2tpd/xl2tpd.conf

写入以下信息

authfile=/etc/ppp/chap-secrets
port=1701
[lnsdefault]
iprange=10.0.0.10-10.0.4.254
localip=10.0.0.9
refusechap=yes
refusepap=yes
requireauthentication=yes
name=L2TPVPN
pppdebug=yes
pppoptfile=/etc/ppp/options.xl2tpd
lengthbit=yes

5.6修改options.xl2tpd 文件

:~#vi/etc/ppp#vioptions.xl2tpd
#require-pap
#require-chap
#require-mschap
ipcp-accept-local
ipcp-accept-remote
require-mschap-v2
ms-dns114.114.114.114
ms-dns8.8.4.4
asyncmap0
auth
crtscts
lock
hide-password
modem
debug
namel2tpd
proxyarp
lcp-echo-interval30
lcp-echo-failure4
mtu1400
noccp
connect-delay5000
http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients-lucid.html

5.7修改chap-secrets文件

:~#vi/etc/ppp/chap-secrets
#SecretsforauthenticationusingCHAP
#clientserversecretIPaddresses
Spencerl2tpd1110005440*

5.8最后配置防火墙

@H_502_259@#iptables -t nat -A POSTROUTING -s 10.0.0.0/22 -o eth0 -j MASQUERADE@H_502_259@ //决定客户端是否可访问Internet

iptables--tablenat--appendPOSTROUTING--jumpMASQUERADE
iptables-tnat-APOSTROUTING-s10.0.0.0/22-oeth0-jMASQUERADE
iptables-AFORWARD-mstate--stateRELATED,ESTABLISHED-jACCEPT
iptables-IFORWARD-s10.0.0.0/22-jACCEPT
iptables-IFORWARD-d10.0.0.0/22-jACCEPT
iptables-AFORWARD-jREJECT
iptables-AINPUT-pudp-mstate--stateNEW-mudp--dport1701-jACCEPT
iptables-AINPUT-pudp-mstate--stateNEW-mudp--dport500-jACCEPT
iptables-AINPUT-pudp-mstate--stateNEW-mudp--dport4500-jACCEPT
/etc/rc.d/init.d/iptablessave
/etc/rc.d/init.d/iptablesrestart

其中这两句写入/etc/rc.local:

forvpnin/proc/sys/net/ipv4/conf/*;doecho0>$vpn/accept_redirects;echo0>$vpn/send_redirects;done
iptables--tablenat--appendPOSTROUTING--jumpMASQUERADE

5.9验证配置是否成功:

:~#ipsecverify
CheckingifIPsecgotinstalledandstartedcorrectly:
Versioncheckandipsecon-path[OK]
OpenswanU2.6.49/K3.13.0-65-generic(netkey)
See`ipsec--copyright'forcopyrightinformation.
CheckingforIPsecsupportinkernel[OK]
NETKEY:TestingXFRMrelatedprocvalues
ICMPdefault/send_redirects[OK]
ICMPdefault/accept_redirects[OK]
XFRMlarvaldrop[OK]
Hardwarerandomdevicecheck[N/A]
Twoormoreinterfacesfound,checkingIPforwarding[OK]
Checkingrp_filter[OK]
Checkingthatplutoisrunning[OK]
PlutolisteningforIKEonudp500[OK]
PlutolisteningforIKEontcp500[NOTIMPLEMENTED]
PlutolisteningforIKE/NAT-Tonudp4500[OK]
PlutolisteningforIKE/NAT-Tontcp4500[NOTIMPLEMENTED]
PlutolisteningforIKEontcp10000(cisco)[NOTIMPLEMENTED]
CheckingNatandMASQUERADEing[TESTINCOMPLETE]
Checking'ip'command[OK]
Checking'iptables'command[OK]

@H_502_259@ 以上只要不出现Failed就行,由于L2TP使用1701端口,是UDP传输,故关于TCP的项无所谓

@H_502_259@最终查看连接或者调试错误时查看日志 /var/log/syslog

tail-f/var/log/syslog

6 客户端连接VPN服务器

@H_502_259@首先需要连接到内网,使客户机与服务器处于同一个LAN中。

wKiom1kJil3BFVzPAABOVomqpHI473.png-wh_50

@H_502_259@

@H_502_259@由于我在安装Openswan时,使用的是证书安装,所以在客户端连接时,需要使用L2TP/IPsec证书连接。

wKioL1kJirGA72LfAABJm821z5I758.png-wh_50

7 访问Internet

连接到VPN服务器后,可以访问因特网。

wKioL1kJizfRZdcYAAB72w1iCr0495.png


References:

1)http://lesca.me/archives/how-to-setup-l2tp-over-ipsec-on-ubuntu.htm l#comments

2)http://www.open-open.com/lib/view/open1404374859499.html

3)http://m.blog.csdn.net/article/details?id=8820602

猜你在找的Ubuntu相关文章